Accelerate China region browsing experience via AliYun Global Accelerator

Setup AliYun GA

Set up HAProxy / Nginx to route the subdomains

HaProxy solution

nano /etc/haproxy/haproxy.cfg

# generated 2022-02-11, Mozilla Guideline v5.6, HAProxy 2.5, OpenSSL 1.1.1k, intermediate configuration
# Process-wide settings. The ssl-default-* lines below only take effect on bind/server
# lines that carry the `ssl` keyword; in a pure TLS-passthrough setup (no `ssl` on any
# bind or server) they are inert, but harmless to keep for a later switch to termination.

global
	log /dev/log	local0
	log /dev/log	local1 notice
	chroot /var/lib/haproxy
	# Runtime API socket. `level admin` permits changing server state/weights at runtime,
	# so membership of the socket's group (haproxy, mode 660) is effectively a control
	# plane — keep it minimal. `expose-fd listeners` is what allows seamless reloads.
	stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
	stats timeout 30s
	# Privileges are dropped to this user/group after the listeners are bound.
	user haproxy
	group haproxy
	daemon

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private
# intermediate configuration: only AEAD ciphers (GCM / CHACHA20-POLY1305), SSLv3 and
# TLS 1.0/1.1 disabled, so TLS 1.2 and 1.3 remain; no-tls-tickets disables stateless
# session-ticket resumption.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

    # Same policy for connections HAProxy itself would open to `ssl` backends.
    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

    # Parameters for the DHE-* ciphers listed above; the file must exist at this path.
    ssl-dh-param-file /etc/haproxy/dhparam


# Values inherited by every frontend/backend that does not override them.
defaults
	log	global
	mode	http
	option	httplog
	# Skip log lines for connections that exchanged no data (e.g. TCP probes).
	option	dontlognull
	# Plain numbers are milliseconds: 5s to establish a backend connection,
	# 50s of inactivity on the client and server sides.
        timeout connect 5000
        timeout client  50000
        timeout server  50000

#------
# HTTPS Frontend listener
#------

# Plain-HTTP listener: nothing is served here, every request is redirected to https.
frontend http_frontend
    bind :80
    mode http
    # ssl_fc is false on a non-ssl bind, so the condition always holds for this
    # frontend; it is kept so the rule stays correct should an `ssl` bind be added.
    redirect scheme https code 301 if !{ ssl_fc }

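# TLS-passthrough listener: the ClientHello is inspected for SNI and the raw TCP
# stream is relayed to a backend untouched, so no certificate or key lives on this host.
frontend https_frontend
    bind :443
    mode tcp
    option tcplog

    # Wait up to 5s for a complete ClientHello before the routing rules are evaluated.
    tcp-request inspect-delay 5s
    # Uncomment to record the requested SNI in the tcplog line (helps when checking
    # which hostnames end up on the catch-all backend).
#    tcp-request content capture req.ssl_sni len 25
    tcp-request content accept if { req.ssl_hello_type 1 }
    # NOTE(review): when the inspect delay expires without a ClientHello, HAProxy's
    # default is to accept, so non-TLS bytes still reach default_backend. Adding
    #   tcp-request content reject if !{ req.ssl_hello_type 1 }
    # after the accept rule closes that path — confirm against the HAProxy version in use.

#------
# ACL
#------
    # One ACL per served hostname; -i makes the SNI comparison case-insensitive.
    # (Indented to make it obvious these belong to this frontend.)
    acl acl_cn_media    req_ssl_sni -i cn-media.xxx.com
    acl acl_cn_assets   req_ssl_sni -i cn-assets.xxx.com
    acl acl_cn_www      req_ssl_sni -i cn.xxx.com

#------
# ACL Condition
#------
    use_backend cn_www     if acl_cn_www
    use_backend cn_media   if acl_cn_media
    # acl_cn_assets was declared but never referenced; route it explicitly so the
    # mapping no longer relies on the catch-all below (same destination as before).
    use_backend cn_media   if acl_cn_assets

#    use_backend cn_www     if { req_ssl_sni -i cn.xxx.com }
#    use_backend cn_media   if { req_ssl_sni -i cn-media.xxx.com }
    # Catch-all: any other (or absent) SNI is relayed to cn_media, i.e. unknown
    # hostnames reach the CloudFront endpoint rather than being dropped here. If only
    # the three names above should be relayed, reject unmatched connections instead
    # (e.g. a `tcp-request content reject unless acl_cn_www || acl_cn_media || acl_cn_assets`).
    default_backend cn_media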

#------
# Backend services
#------

# Raw TCP relay for cn.xxx.com to the AWS load balancer (TLS terminates there, not here).
backend cn_www
    mode tcp
    # NOTE(review): `option ssl-hello-chk` only selects *how* a health check is done;
    # without `check` on the server line no check runs and the server is always
    # considered up. If checks are enabled, confirm the upstream still answers the
    # SSLv3-style hello this option sends; otherwise a TLS-level check
    # (`check check-ssl` with appropriate `ca-file`/`verify`) is the safer choice.
    option ssl-hello-chk
    # The hostname is resolved once at startup unless a `resolvers` section is attached
    # to this server line, so rotating ELB addresses can go stale over the process's
    # lifetime — TODO confirm a resolvers setup is in place.
    server elb 1234.ap-southeast-1.elb.amazonaws.com:443

# Raw TCP relay for the media/assets hostnames (and the catch-all) to CloudFront.
backend cn_media
    mode tcp
    # NOTE(review): inert without `check` on the server line (no health check runs);
    # see the same caveat as for cn_www before enabling checks against CloudFront.
    option ssl-hello-chk
    # Resolved once at startup unless a `resolvers` section is attached; CloudFront
    # edge addresses rotate, so a stale IP is a real risk — TODO confirm resolvers.
    server cloudfront 1234.cloudfront.net:443

Nginx Solution

# 加入 tcp stream 
nano /etc/nginx/nginx.conf

# Pulls the stream-level configuration from its own directory. This `include` must be
# at the top level of nginx.conf (outside `http {}`), since `stream {}` is a main-context
# block and cannot be nested inside `http {}`.
include /etc/nginx/tcpconf.d/*;

# 設定 tcp stream
nano /etc/nginx/tcpconf.d/cn-xxx.proxy

# TLS passthrough on :443: route by the SNI name read from the ClientHello without
# terminating TLS (no certificate or key on this host).
stream {

  # A name missing from this map leaves $targetBackend empty, so proxy_pass has no
  # destination and the connection is presumably closed rather than relayed (fail
  # closed) — verify. Note that cn.xxx.com is not listed here, unlike the HAProxy variant.
  map $ssl_preread_server_name $targetBackend {
    cn-media.xxx.com  1234.cloudfront.net:443;
    cn-assets.xxx.com 1234.cloudfront.net:443;
  }

  server {
    listen 443;

    # proxy_timeout is the allowed idle time between two successive reads/writes on the
    # relayed connection; 3s is short for long-lived TLS sessions — TODO confirm intended.
    proxy_connect_timeout 1s;
    proxy_timeout 3s;
    # Required because proxy_pass takes a variable: the backend hostname is resolved at
    # runtime through this nameserver (plain, unauthenticated DNS) instead of at config load.
    resolver 1.1.1.1;

    proxy_pass $targetBackend;
    # Peeks at the ClientHello to populate $ssl_preread_server_name for the map above.
    ssl_preread on;
  }
}